Gone are the days when Cybersecurity Maturity Model Certification (CMMC) was the issue keeping us up at night. Now that COVID-19 coverage has overtaken the news cycle and upended government and businesses alike, it has been hard to focus on anything but coronavirus. But, according to the Department of Defense (DoD), the show must go on despite the disruption coronavirus has caused to the workforce. In fact, CMMC milestones and deadlines are still being executed at a tight clip.
Many already viewed the process of trying to meet or assess their level of compliance as a financial burden, which is now compounded by operating with a largely remote workforce. However, in light of increased cyber attacks against government networks and the private sector, implementing CMMC requirements – especially now – may actually be a blessing. CMMC requires government contractors to achieve certain cybersecurity standards in order to qualify for contract awards. But these standards are also designed to protect the networks of government contractors, regardless of the goods or services they provide to the Defense Industrial Base (DIB).
In reality, the much-anticipated CMMC is good for business – government contractors or not. While the new 5-tiered certification requirements sound like a big undertaking, many small to medium-sized DoD contractors already fall in Level 2 or 3, and large defense contractors are likely to have already acquired the capabilities to be in Tiers 4 or 5.
CMMC embraces a true collaborative risk management approach that will help contractors and DoD clients alike to better manage risk. It helps organizations implement security controls for when – not if – a cyber incident occurs. This new framework helps a company prepare for and prevent cyber incidents, paving the way for companies to recover from a cyber incident without penalization or crippling financial outcomes. With CMMC tiered requirements expected to go into effect as early as this summer, it’s important for contractors to assess their current CMMC readiness, since DoD RFPs will require specific CMMC level ratings to qualify for contract awards.
How we went from DFARS to CMMC
CMMC can best be described as a new and improved version of DFARS requirements. DFARS has been used to assess a company’s cybersecurity efforts and compliance with DoD cybersecurity requirements post-award. The government found that companies were falsely claiming compliance during the RFP process. Many companies ended up receiving penalties for misrepresenting themselves, but the real impacts were ultimately felt by DoD – their networks and data were put at risk. Welcome the new CMMC model, which contrasts with DFARS in that it is designed to assess security control policies, implementation and documentation prior to contract award. The evaluations will certify companies at levels 1 to 5, with 5 being the most mature and robust cybersecurity practices.
Best practices for obtaining and sustaining your CMMC rating
When it comes to reaching Tiers 3, 4, and 5, it’s all about establishing policies and procedures that work for that specific organization, whether it is a five-person shop or a multi-national company. When striving for top-notch cybersecurity practices, it’s important to keep a few key things in mind. First, while organizations can buy the best, most expensive tools, those tools may not be a solution that fits their needs. Second, having an idea of how they will respond when a disaster strikes is vital when aiming to keep systems running. No matter which tools you select, investing in training your staff is key to ensuring that you’re getting the expected benefits from the tool.
It’s critical for organizations to say what they do and do what they say. Cybersecurity standards aren’t just important when they’re being assessed and certified. Meeting them is a daily practice that shouldn’t fall by the wayside.
CMMC is not just for IT companies
The IT and cybersecurity community has had a watchful eye on the progress of CMMC milestones, but companies that are part of the DIB supply chain – even facilities contractors and suppliers – will also need to institute the minimum requirements. In these cases, contractors should budget for assistance or consultants, and if they are already contracted with DoD, they should work closely with their contracting officers to validate the level they are required to meet.
Though these requirements seem burdensome, it is important to keep in mind that CMMC is quite simply good for business – government contractors or not. Even Tier 1 and 2 requirements will help any company protect their client information and their internal crown jewels. Meeting these standards will demonstrate that your company can do the right things, in the right way, to minimize risk of loss. In the end, CMMC is really just a change of procedure that, by preventing problems upfront, will create better efficiencies downstream.
Geoff Pierce is chief information security officer at Centauri.